Aberdeen Group Reports on “The Virtues of Virtual Patching”

Trend Micro Deep Security 9 Solves Organisations’ Patching Challenge

Category:

Marlow, UK 13th November 2012 – With the publication of its Analyst Insight on “The Virtues of Virtual Patching,” research firm Aberdeen Group raises awareness on alternatives to endless cycle of Patch Tuesdays, emergency patches and workarounds, regression testing and unplanned downtime.

Aberdeen's findings show that while current use of patch management is foundational for success, taken by itself it does not differentiate top performance – in other words, success is not only a function of whether a company patches, but also a function of how.

Selected highlights from Aberdeen’s research and analysis include:

On average, about three-fourths (75%) of all companies have current deployments of patch management.

Even if your patching is 100%, some significant residual risks will remain

Vendors in general are unable to keep pace with the number of vulnerabilities and threats: industry sources report that just 58% of the vulnerabilities disclosed in 2011 had vendor patches available on the same day, and 36% still had no patch available three months into 2012.

Based on Aberdeen’s research, the average total cost of a security incident was $130K; incidents that involved loss or exposure of sensitive data saw an average total cost per incident of as much as $640K.

An important patch management strategy to consider is to buy more time; virtual patching refers to the strategic deployment of selected compensating controls to provide a kind of protective shield that allows the organisation more time to assess, plan, test, and remediate threats and vulnerabilities on a schedule of their own choosing.

Virtual patching is one way that companies deal with security issues in their applications. Aberdeen’s research shows that the leading organisations are 2-times more likely (57%) than lagging performers to use virtual patching (26%).

”Virtual patching can represent a strong operational and financial case for the business,” said Derek Brink, vice president and research fellow for IT Security at Aberdeen Group. “Among several other advantages, it can give enterprises the flexibility to patch on their own schedule, and it can help to mitigate the high opportunity cost of unplanned downtime, which can easily range to tens of thousands of dollars per hour. Companies should give strong consideration to virtual patching as a strategy to augment their traditional patch management processes, and to improve the overall efficiency and effectiveness of managing the vulnerabilities and threats to their IT infrastructure.”